Back in May I was asked to give a presentation to law enforcement. The presentation is here. Since then, I have been asked to clarify the advantage of using DNS rather than HTTP when conducting an investigation. The point is not that one would use DNS instead of HTTP, but that one looks at DNS first to assess whether further investigation into HTTP and other protocols is warranted. I will use the same example I used in the presentation to explain.
When a browser or application (from here on I will just say ‘browser’) goes to a website, it almost always makes a DNS request first for the site the user is looking for (the exception is when the name is still in the browser or operating-system resolver cache from an earlier lookup). The DNS request is essentially asking “Which server houses the site I am looking for?” In the simplest case, the browser makes a DNS request for the host name taken from the bookmark, link, or address entered. The DNS response comes back with the IP address. The browser then connects to that IP address and asks for the particular URL.
The capture below shows the DNS request and response in green and the request for the URL in blue. In this particular example, the user asked to go to http://www.facebook.com. Frame 1 shows the DNS request for www.facebook.com and frame 2 shows the response from the DNS server indicating the browser should connect to 69.63.180.15. Frames 3, 4 and 5 show the TCP connection to 69.63.180.15 being set up (the three-way handshake), and frame 6 is the HTTP GET for the root web page.

DNS lookup and HTTP get of www.facebook.com
Frame 7 onwards is the data being transferred, along with the other HTTP GETs made. In fact, that one request for a web page generated many HTTP GET requests. You can see all the HTTP GET requests for http://www.facebook.com in the capture below.

Facebook homepage all HTTP GET requests
During an investigation, if you start by capturing the HTTP requests, it is a lot harder to walk through each one and determine what the request is asking for, what the response is, and whether each request has relevance to the investigation. It can be done, but it is more work and more time. While that effort may eventually be necessary, at the beginning of an investigation you usually want to determine first whether further investigation is required at all. Suppose you are investigating an individual suspected of selling stolen items on eBay. If you never see a DNS request for eBay or another auction site from that user, it may make no sense, and be a waste of time, to investigate further – maybe you have the wrong individual.
When I have been asked to determine what a particular user, employee, or service is doing, I almost always start with DNS. By extracting what the subject was trying to look up in DNS, you can quickly compile a timeline of the sites and applications they were using. From that data you can determine whether you need to investigate further and, if so, which applications, sites, and protocols you should focus on. I find this lets me focus the investigation more easily and avoid wasting time on data that is not relevant.
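To make the DNS-first approach concrete, here is an added example (not part of the original post or its capture) that does the two things described above: it decodes raw DNS query and response messages, pairing each answer with its question the way frames 1 and 2 pair up, and it turns a sequence of them into a timeline of names looked up, with the resolved address where a response was seen, that can then be grepped for sites of interest. The capture it runs over is constructed inline; 69.63.180.15 is the address from the post, while the eBay address 192.0.2.10 is from the documentation range and the other name and all timestamps are made up.

```python
import struct

# --- Minimal DNS message decoding (RFC 1035) over raw UDP payloads --------

def read_name(msg, offset):
    """Decode a possibly-compressed domain name at offset.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # pointer occupies 2 bytes
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:                               # guard against malicious loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg):
    """Return id, whether this is a response, the questions and the A answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:                # A record -> dotted quad
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


# --- Timeline of lookups, the first thing to pull from a capture -----------

def dns_timeline(capture):
    """capture: iterable of (timestamp, udp_payload). Returns time-ordered
    entries {time, name, ip}; ip stays None if no answer was seen."""
    pending, entries = {}, []
    for ts, payload in capture:
        m = parse_dns(payload)
        if not m["response"]:
            for name, qtype in m["questions"]:
                if qtype == 1:                          # only A lookups here
                    entry = {"time": ts, "name": name, "ip": None}
                    pending[(m["id"], name)] = entry    # match on id + qname
                    entries.append(entry)
        elif m["questions"]:
            entry = pending.pop((m["id"], m["questions"][0][0]), None)
            if entry is not None and m["answers"]:
                entry["ip"] = m["answers"][0][1]
    return sorted(entries, key=lambda e: e["time"])


def domains_matching(timeline, keywords):
    """Names in the timeline that contain any keyword, e.g. ['ebay', 'auction']."""
    return sorted({e["name"] for e in timeline if any(k in e["name"] for k in keywords)})


# --- Constructed sample messages (the post's real pcap is not reproduced) --

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def query(txid, name):
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def response(txid, name, ip):
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + question + rr


SAMPLE_CAPTURE = [  # constructed: timestamps are seconds into the capture
    (1.00, query(0x1A2B, "www.facebook.com")),
    (1.04, response(0x1A2B, "www.facebook.com", "69.63.180.15")),
    (7.50, query(0x1A2C, "www.ebay.com")),
    (7.53, response(0x1A2C, "www.ebay.com", "192.0.2.10")),
    (9.10, query(0x1A2D, "updates.example.net")),     # no response captured
]

if __name__ == "__main__":
    for e in dns_timeline(SAMPLE_CAPTURE):
        print(f'{e["time"]:7.2f}  {e["name"]:<22} {e["ip"] or "(no answer)"}')
    print("auction-related:", domains_matching(dns_timeline(SAMPLE_CAPTURE), ["ebay"]))
```

In practice the payloads come from UDP port 53 traffic in the pcap; for a quick first pass the same list can be produced with Wireshark's command-line tool, for example tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e frame.time -e dns.qry.name, and the parser above is what you reach for when you need to script the matching of responses to requests yourself.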
DNS has a few other advantages too. It is not encrypted, so it is easy to analyze (one caveat: where DNS over TLS or DNS over HTTPS is in use, the lookups travel inside an encrypted channel and you will have to obtain them from the resolver instead, so check which resolvers the subject's machines actually use). It is the standard directory of the Internet and is used by most if not all applications and services. I acknowledge that a serious ‘anti-forensic’ individual or group might set up infrastructure to avoid detection via DNS, such as a VPN tunnel, hard-coded addresses or hosts-file entries, or their own DNS service for the sites and applications they wish to keep from being tracked, but this is not typical behaviour and would be the exception rather than the rule.